fix: 보안 취약점 수정 및 XSS 방지 적용

## 백엔드 보안 수정 - 하드코딩된 비밀번호 및 JWT 시크릿 폴백 제거 - SQL Injection 방지를 위한 화이트리스트 검증 추가 - 인증 미적용 API 라우트에 requireAuth 미들웨어 적용 - CSRF 보호 미들웨어 구현 (csrf.js) - 파일 업로드 보안 유틸리티 추가 (fileUploadSecurity.js) - 비밀번호 정책 검증 유틸리티 추가 (passwordValidator.js) ## 프론트엔드 XSS 방지 - api-base.js에 전역 escapeHtml() 함수 추가 - 17개 주요 JS 파일에 escapeHtml 적용: - tbm.js, daily-patrol.js, daily-work-report.js - task-management.js, workplace-status.js - equipment-detail.js, equipment-management.js - issue-detail.js, issue-report.js - vacation-common.js, worker-management.js - safety-report-list.js, nonconformity-list.js - project-management.js, workplace-management.js ## 정리 - 백업 폴더 및 빈 파일 삭제 - SECURITY_GUIDE.md 문서 추가 Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-05 06:33:10 +09:00
parent 7c38c555f5
commit 36f110c90a
97 changed files with 2523 additions and 24267 deletions
--- a/web-ui/js/nonconformity-list.js
+++ b/web-ui/js/nonconformity-list.js
@@ -121,17 +121,18 @@ function renderIssues(issues) {
      minute: '2-digit'
    });

-    // 위치 정보
-    let location = issue.custom_location || '';
+    // 위치 정보 (escaped)
+    let location = escapeHtml(issue.custom_location || '');
    if (issue.factory_name) {
-      location = issue.factory_name;
+      location = escapeHtml(issue.factory_name);
      if (issue.workplace_name) {
-        location += ` - ${issue.workplace_name}`;
+        location += ` - ${escapeHtml(issue.workplace_name)}`;
      }
    }

    // 신고 제목 (항목명 또는 카테고리명)
-    const title = issue.issue_item_name || issue.issue_category_name || '부적합 신고';
+    const title = escapeHtml(issue.issue_item_name || issue.issue_category_name || '부적합 신고');
+    const categoryName = escapeHtml(issue.issue_category_name || '부적합');

    // 사진 목록
    const photos = [
@@ -142,15 +143,22 @@ function renderIssues(issues) {
      issue.photo_path5
    ].filter(Boolean);

+    // 안전한 값들
+    const safeReportId = parseInt(issue.report_id) || 0;
+    const validStatuses = ['reported', 'received', 'in_progress', 'completed', 'closed'];
+    const safeStatus = validStatuses.includes(issue.status) ? issue.status : 'reported';
+    const reporterName = escapeHtml(issue.reporter_full_name || issue.reporter_name || '-');
+    const assignedName = issue.assigned_full_name ? escapeHtml(issue.assigned_full_name) : '';
+
    return `
-      <div class="issue-card" onclick="viewIssue(${issue.report_id})">
+      <div class="issue-card" onclick="viewIssue(${safeReportId})">
        <div class="issue-header">
-          <span class="issue-id">#${issue.report_id}</span>
-          <span class="issue-status ${issue.status}">${STATUS_LABELS[issue.status] || issue.status}</span>
+          <span class="issue-id">#${safeReportId}</span>
+          <span class="issue-status ${safeStatus}">${STATUS_LABELS[issue.status] || escapeHtml(issue.status || '-')}</span>
        </div>

        <div class="issue-title">
-          <span class="issue-category-badge">${issue.issue_category_name || '부적합'}</span>
+          <span class="issue-category-badge">${categoryName}</span>
          ${title}
        </div>

@@ -160,7 +168,7 @@ function renderIssues(issues) {
              <path d="M20 21v-2a4 4 0 0 0-4-4H8a4 4 0 0 0-4 4v2"/>
              <circle cx="12" cy="7" r="4"/>
            </svg>
-            ${issue.reporter_full_name || issue.reporter_name}
+            ${reporterName}
          </span>
          <span class="issue-meta-item">
            <svg width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2">
@@ -180,7 +188,7 @@ function renderIssues(issues) {
            ${location}
          </span>
          ` : ''}
-          ${issue.assigned_full_name ? `
+          ${assignedName ? `
          <span class="issue-meta-item">
            <svg width="14" height="14" viewBox="0 0 24 24" fill="none" stroke="currentColor" stroke-width="2">
              <path d="M17 21v-2a4 4 0 0 0-4-4H5a4 4 0 0 0-4 4v2"/>
@@ -188,7 +196,7 @@ function renderIssues(issues) {
              <path d="M23 21v-2a4 4 0 0 0-3-3.87"/>
              <path d="M16 3.13a4 4 0 0 1 0 7.75"/>
            </svg>
-            담당: ${issue.assigned_full_name}
+            담당: ${assignedName}
          </span>
          ` : ''}
        </div>
@@ -196,7 +204,7 @@ function renderIssues(issues) {
        ${photos.length > 0 ? `
        <div class="issue-photos">
          ${photos.slice(0, 3).map(p => `
-            <img src="${baseUrl}${p}" alt="신고 사진" loading="lazy">
+            <img src="${baseUrl}${encodeURI(p)}" alt="신고 사진" loading="lazy">
          `).join('')}
          ${photos.length > 3 ? `<span style="display: flex; align-items: center; color: var(--gray-500);">+${photos.length - 3}</span>` : ''}
        </div>